A question came up when implementing unsafe-inline for style-src. The
spec says:
    If 'unsafe-inline' is *not* in allowed style sources:
    * Whenever the user agent would apply style from a style element,
      instead the user agent must ignore the style.
    * Whenever the user agent would apply style from a style attribute,
      instead the user agent must ignore the style.
    Note: These restrictions on inline do not prevent the user agent from
    applying style from an external stylesheet (e.g., found via
    <link rel="stylesheet">).
If a style tag or style attributes are set in HTML, it is clearly a case
of unsafe-inline. But if styles are set in JavaScript (inline
JavaScript or src'ed JavaScript), are they considered unsafe-inline?
Here are some examples we are unsure about:
* doc.body.appendChild(doc.createElement("style"));
* doc.body.setAttribute("style", "...");
* doc.body.style.background = "...";
* bgcolor attributes appearing in the markup
* <font> elements appearing in the markup
* doc.body.appendChild(doc.createElement("font"));
* doc.body.bgcolor = "...";
* doc.body.innerHTML = "<style>...</style>";
How does WebKit handle these cases? Our guess is that whenever a user
agent applies CSS from a <style> tag or style attribute, it would be
unsafe-inline. That would mean these cases would result in
unsafe-inline that is blocked:
* doc.body.appendChild(doc.createElement("style"));
* doc.body.innerHTML = "<style>...</style>";
* doc.body.setAttribute("style", "...");
Thanks!
~Tanvi
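A test page that settles these cases empirically, added here as an example and not part of the original thread or of WebKit's code: it applies the policy `style-src 'self'` through a `<meta>` tag (only style-src is restricted, so the harness's own inline script still runs), exercises each case from the list above against a fresh element, then reports whether the style took effect and whether a `securitypolicyviolation` event fired. The `expected` column is the reading of the spec text quoted above, which names only style elements and style attributes; the element ids, the red test colour and the 50 ms wait for the asynchronously dispatched violation event are constructed for this harness.

```html
<!doctype html>
<meta charset="utf-8">
<!-- Constructed policy: no 'unsafe-inline', nonce or hash for styles. -->
<meta http-equiv="Content-Security-Policy" content="style-src 'self'">
<title>style-src without 'unsafe-inline': which cases apply?</title>
<!-- Markup cases: presentational attribute and <font> element. -->
<table id="m1" bgcolor="red"><tr><td>bgcolor attribute in markup</td></tr></table>
<font id="m2" color="red">font element in markup</font>
<pre id="log"></pre>
<script>
  const RED = 'rgb(255, 0, 0)';   // computed value of "red" for any property
  const violations = [];
  // Inline-style violations dispatch this event on the element; it bubbles.
  document.addEventListener('securitypolicyviolation', (e) => {
    violations.push(e.violatedDirective);
  });

  // Fresh target element for each JavaScript case.
  function target(id) {
    const div = document.createElement('div');
    div.id = id;
    div.textContent = id;
    document.body.appendChild(div);
    return div;
  }

  // [name, expected per the quoted spec text, CSS property to read back, apply()]
  const cases = [
    ['appendChild(createElement("style"))', 'blocked', 'color', () => {
      const t = target('c1');
      const s = document.createElement('style');
      s.textContent = '#c1 { color: red }';
      document.body.appendChild(s);
      return t; }],
    ['innerHTML = "<style>...</style>"', 'blocked', 'color', () => {
      const t = target('c2');
      t.innerHTML = '<style>#c2 { color: red }</style>c2';
      return t; }],
    ['setAttribute("style", ...)', 'blocked', 'color', () => {
      const t = target('c3');
      t.setAttribute('style', 'color: red');
      return t; }],
    ['element.style.color = ...  (CSSOM)', 'applied', 'color', () => {
      const t = target('c4');
      t.style.color = 'red';
      return t; }],
    ['appendChild(createElement("font"))', 'applied', 'color', () => {
      const f = document.createElement('font');
      f.id = 'c5'; f.color = 'red'; f.textContent = 'c5';
      document.body.appendChild(f);
      return f; }],
    ['body.bgColor = ...', 'applied', 'backgroundColor', () => {
      document.body.bgColor = 'red';
      return document.body; }],
    ['bgcolor attribute in markup', 'applied', 'backgroundColor',
      () => document.getElementById('m1')],
    ['<font> element in markup', 'applied', 'color',
      () => document.getElementById('m2')],
  ];

  const sleep = (ms) => new Promise((r) => setTimeout(r, ms));

  async function run() {
    const log = document.getElementById('log');
    log.textContent = 'case'.padEnd(40) + 'expected  observed  violation\n';
    for (const [name, expected, prop, apply] of cases) {
      const seen = violations.length;
      const el = apply();
      await sleep(50);   // violation events are queued, not dispatched inline
      const observed = getComputedStyle(el)[prop] === RED ? 'applied' : 'blocked';
      const report = violations.slice(seen).join(',') || 'none';
      log.textContent += `${name.padEnd(40)}${expected.padEnd(10)}${observed.padEnd(10)}${report}\n`;
    }
  }
  run();
</script>
```

Open the file from a local web server rather than `file://` so that 'self' has a meaningful origin; the report lists, per case, the spec expectation, what the browser actually did, and the `violatedDirective` value (some engines report `style-src-elem` / `style-src-attr`, older ones plain `style-src`), which makes a given engine's handling of each case directly comparable with the spec text.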